Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts with PQ algorithm key encodings that are not compatible.
Christine Cloostermans <cvvrede@gmail.com> Thu, 29 September 2022 14:55 UTC
Return-Path: <cvvrede@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5345CC1522C9; Thu, 29 Sep 2022 07:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.004
X-Spam-Level:
X-Spam-Status: No, score=-7.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TO1tx8aSeOpR; Thu, 29 Sep 2022 07:55:25 -0700 (PDT)
Received: from mail-oo1-xc2f.google.com (mail-oo1-xc2f.google.com [IPv6:2607:f8b0:4864:20::c2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2EA3C1522DB; Thu, 29 Sep 2022 07:55:25 -0700 (PDT)
Received: by mail-oo1-xc2f.google.com with SMTP id c22-20020a4a4f16000000b00474a44441c8so265339oob.7; Thu, 29 Sep 2022 07:55:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=k9nI1ZYLOO83ufRbZEObP/EaZoS/oyL7nqnHGO2rL6I=; b=QZOm5Cl9Fm3WGEGR9J9k3fTwGzGXawfaZNumXnu2gbZGaiEE/VJocpfrZS9e7kFjLR 12fr5Tru57xvUjo2h1CZj0/vFniraT8ImMiSae4l+1bmrYJQJQhnTnpRfcIh9NYBd4vO Fb9wGK88YtSqZzFXgaPkHbcy70Y1rhgQSr5uXhZYhLAHNCZ5gTXmj54K3EwfmUmOJBlF ZKfqgMNRVhUosSV9mgp80kYexUkWur3JZU61PlAePRFIaEtUJrQsyPwSjfsmhfeILoWJ u16I4187N9TLZ9v6QTnBMDXdWJcnbW/AkEFBbEoUw1k/9KBMDXDYtzkZkuCGyUpA0fDm 1GSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=k9nI1ZYLOO83ufRbZEObP/EaZoS/oyL7nqnHGO2rL6I=; b=qKn2PEIRTezkpN5HOgfoSWUusWZKPt57ZF7VWbxzZRDq7f3EpXJrHP+dRWkG6TZboC cT0z2i4ggn2LKxSzs+apjxv7x6SfDyHRL3wrbui2VwSGKoZxvzImuUjqj4ixUSjQKSb2 t98EzDSo0+6j1jQBAbcyp7d9KfsNBshAGJUcW0Er8WuqpESJZ2El0EXRUVBUmTzz14UU fOy5nqYmQpp9au4pb2zUZ0aNb8aXRiMrlHHIl8LATLPLlC2BunM4vHbpvFkrp+qsws/k /bSkvUEcs7EkdWyqtDONZc/K5/Dh8EpBazlQy+ODjCuP5ALmz1U23mynzz3fWBeKI9b2 0MDQ==
X-Gm-Message-State: ACrzQf3RFWMi9TOop05+QCVrfNFInS+O0XIt2qAnYjbXHw8XyW+TPRnN hSdDZDVWF38X8kFQwmY5kRkO2NSn9iof54DXuk4=
X-Google-Smtp-Source: AMsMyM7TaLCaTYjU/nnEhgQQFeXJucImHpG6QAm6HvnKNyOOepnjUQPsa4OcZuKvAIiJ9MLMh2TYtiH9mXKITI6yOcI=
X-Received: by 2002:a05:6830:160d:b0:655:ca9a:fd3d with SMTP id g13-20020a056830160d00b00655ca9afd3dmr1500039otr.135.1664463324255; Thu, 29 Sep 2022 07:55:24 -0700 (PDT)
MIME-Version: 1.0
References: <574516F5-098F-4CB6-8D9C-F193BF1B1507@amazon.com> <2B8DF0B3-B79C-4688-B481-737BCCC9EFF1@westerbaan.name> <CH0PR11MB5739CCCC7C99CC2F194C06719F549@CH0PR11MB5739.namprd11.prod.outlook.com> <CAHzQBQWo9514PeeCatTcOv58muG9LLzihWr1+v9NOuAoPhTysg@mail.gmail.com> <CH0PR11MB5739B2EA9A180EDF503BE0D49F579@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739B2EA9A180EDF503BE0D49F579@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Christine Cloostermans <cvvrede@gmail.com>
Date: Thu, 29 Sep 2022 16:55:12 +0200
Message-ID: <CAHzQBQWXqFspRsCUyVTEd03Y5b6vZ-Dt2fmGxPgLT7X+=0BwZA@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Bas Westerbaan <bas@westerbaan.name>, "Massimo, Jake" <jakemas@amazon.com>, John Gray <John.Gray=40entrust.com@dmarc.ietf.org>, pqc@ietf.org, spasm@ietf.org, cfrg@ietf.org, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, Sean Turner <sean@sn3rd.com>, sid@zurich.ibm.com, bhe@zurich.ibm.com, Tamas Visegrady <tvi@zurich.ibm.com>, osb@zurich.ibm.com, dieter.bong@utimaco.com, Joppe Bos <joppe.bos@nxp.com>, "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Content-Type: multipart/alternative; boundary="0000000000002f195705e9d21115"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9mOUxqzJ5NPVBgqYAhfKfCQmMic>
X-Mailman-Approved-At: Thu, 29 Sep 2022 11:53:39 -0700
Subject: Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts with PQ algorithm key encodings that are not compatible.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2022 14:55:30 -0000
That would be in the LAMPS WG. Thanks and cheers, Christine On Thu, Sep 29, 2022, 15:26 Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote: > Thanks Christine! Valuable work, and good to see you still active in this > space! > > > > Last question from me: which working group are you doing this through? I > just want to make sure I don’t miss updates and discussion! > > > > --- > > *Mike* Ounsworth > > > > *From:* Christine Cloostermans <cvvrede@gmail.com> > *Sent:* September 29, 2022 4:48 AM > *To:* Mike Ounsworth <Mike.Ounsworth@entrust.com> > *Cc:* Bas Westerbaan <bas@westerbaan.name>; Massimo, Jake < > jakemas@amazon.com>; John Gray <John.Gray=40entrust.com@dmarc.ietf.org>; > pqc@ietf.org; spasm@ietf.org; cfrg@ietf.org; Panos Kampanakis (pkampana) < > pkampana@cisco.com>; Sean Turner <sean@sn3rd.com>; sid@zurich.ibm.com; > bhe@zurich.ibm.com; tvi@zurich.ibm.com; osb@zurich.ibm.com; > dieter.bong@utimaco.com; joppe.bos@nxp.com; Markku-Juhani O. Saarinen < > mjos@pqshield.com> > *Subject:* Re: [EXTERNAL] Re: [Pqc] Multiple drafts with PQ algorithm key > encodings that are not compatible. > > > > Hi, > > > > Fielding a couple of the questions at once: > > > > - The plan is to publish it as an RFC. At the last IETF meeting it was > decided it would make sense to split it into multiple RFCs (one per > winner). We are working on the split. > > - The split includes a Sphincs+ document. Initially we considered only the > finalists, but now also added Sphincs+ as it is now a winner. > > - Splitting between a seed and the full key is intesting. This might be a > problem to be fielded in LMS/XMSS as well. Different OIDs seems like it > would become a long list, but I am not sure whether that is a problem. > > > > Cheers, > > > > Christine > > > > Op wo 28 sep. 2022 om 23:39 schreef Mike Ounsworth < > Mike.Ounsworth@entrust.com>: > > > So I’d propose as format either storing the opaque private key (as > specified by the CRYSTALS team) or the seed. > > > > I like the idea. What’s the easiest way for a parser trying to read this > off disk to know the difference between: > > > > dilithiumPrivateKey OCTET STRING > > and > > dilithiumPrivateKeySeed OCTET STRING > > ? > > > > Different PrivateKeyAlgorithmIdentifier OIDs? > > > > --- > Mike Ounsworth > Software Security Architect, Entrust > > > > *From:* Bas Westerbaan <bas@westerbaan.name> > *Sent:* September 28, 2022 4:31 PM > *To:* Massimo, Jake <jakemas@amazon.com> > *Cc:* Mike Ounsworth <Mike.Ounsworth@entrust.com>; John Gray <John.Gray= > 40entrust.com@dmarc.ietf.org>; pqc@ietf.org; spasm@ietf.org; cfrg@ietf.org; > Panos Kampanakis (pkampana) <pkampana@cisco.com>; Sean Turner < > sean@sn3rd.com>; cvvrede@gmail.com; sid@zurich.ibm.com; bhe@zurich.ibm.com; > tvi@zurich.ibm.com; osb@zurich.ibm.com; dieter.bong@utimaco.com; > joppe.bos@nxp.com; Markku-Juhani O. Saarinen <mjos@pqshield.com> > *Subject:* [EXTERNAL] Re: [Pqc] Multiple drafts with PQ algorithm key > encodings that are not compatible. > > > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > ------------------------------ > > DilithiumPrivateKey ::= SEQUENCE { > > version Version, > > privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, > > privateKey OCTET STRING, > > publicKey [0] IMPLICIT > DilithiumPublicKey OPTIONAL > > } > > > > PQC private keys are typically rather large and, for many schemes can be > generated cheaply from a small seed (such as with Dilithium). That’s > helpful if you store many private keys or are rather constrained in storage. > > > > So I’d propose as format either storing the opaque private key (as > specified by the CRYSTALS team) or the seed. > > > > Best, > > > > Bas > > > > > > > > > > > > i.e., the parameters are defined/contained within privateKeyAlgorithm. > This means we can support the byte array encoding for the private key > proposed by the algorithm designers in privateKey an OCTET STRING. > > > > Thoughts? > > > > Cheers, > > Jake > > > > *From: *Mike Ounsworth <Mike.Ounsworth@entrust.com> > *Date: *Wednesday, 28 September 2022 at 13:26 > *To: *John Gray <John.Gray=40entrust.com@dmarc.ietf.org>, "pqc@ietf.org" < > pqc@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "cfrg@ietf.org" < > cfrg@ietf.org> > *Cc: *"Massimo, Jake" <jakemas@amazon.com>, "Panos Kampanakis (pkampana)" > <pkampana@cisco.com>, Sean Turner <sean@sn3rd.com>, "bas@westerbaan.name" > <bas@westerbaan.name>, "cvvrede@gmail.com" <cvvrede@gmail.com>, " > sid@zurich.ibm.com" <sid@zurich.ibm.com>, "bhe@zurich.ibm.com" < > bhe@zurich.ibm.com>, "tvi@zurich.ibm.com" <tvi@zurich.ibm.com>, " > osb@zurich.ibm.com" <osb@zurich.ibm.com>, "dieter.bong@utimaco.com" < > dieter.bong@utimaco.com>, "joppe.bos@nxp.com" <joppe.bos@nxp.com> > *Subject: *RE: [EXTERNAL][Pqc] Multiple drafts with PQ algorithm key > encodings that are not compatible. > > > > *CAUTION*: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > My curiosity is about the procedural aspect of draft-uni-qsckeys. Is this > attached to a working group? Are you indenting to publishing this as an > RFC, or is this just to bridge prototyping work until NIST publishes real > standards? > > > > --- > Mike Ounsworth > Software Security Architect, Entrust > > > > *From:* Pqc <pqc-bounces@ietf.org> *On Behalf Of *John Gray > *Sent:* September 28, 2022 1:34 PM > *To:* pqc@ietf.org; spasm@ietf.org; cfrg@ietf.org > *Cc:* Massimo, Jake <jakemas@amazon.com>; Panos Kampanakis (pkampana) < > pkampana@cisco.com>; Sean Turner <sean@sn3rd.com>; bas@westerbaan.name; > cvvrede@gmail.com; sid@zurich.ibm.com; bhe@zurich.ibm.com; > tvi@zurich.ibm.com; osb@zurich.ibm.com; dieter.bong@utimaco.com; > joppe.bos@nxp.com > *Subject:* [EXTERNAL] [Pqc] Multiple drafts with PQ algorithm key > encodings that are not compatible. > > > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > ------------------------------ > > We are doing some interoperability testing with different vendors using > the new Dilithium, Falcon and SPHINCS+ algorithms. We have come across at > least two drafts which are trying to specify the ASN.1 encoding formats for > these algorithms. However, the encoding formats are not compatible with > each other. I imagine the authors of these drafts should get together and > come up with a common format (I have copied them on this email). This > means we must choose one or the other, or even worse, support multiple > formats (which can lead to bugs). Initially I started more than a year > ago using my own encoding format for internal prototyping, but now need to > interoperate with others outside of our organization, so a common format is > definitely needed at this point. 😊 > > > > We fully realize the OID values will be changing once official OIDs are > registered, (changing those are trivial), but the ASN.1 formats of the > public and private keys is kind of important as well… 😊 > > > > For example: > > > > The LAMPS group has a specification of Dilithium public keys in this draft: > > https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/ > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/__;!!FJ-Y8qCqXTj2!eSTwME-1IjQkfjJFS0X7lRzbYJ1PhEzSelmmUcLwF9JaceAAKFQwvLRif4O6vS8ijYlK0TG2cYO4rpBHtq5AG1OZQAKxlou-rKXm$> > > > > the public key format is this: > > > > The Dilithium public key MUST be encoded using the ASN.1 type > > DilithiumPublicKey: > > > > DilithiumPublicKey ::= OCTET STRING > > > > The private key format is this: > > > > DilithiumPrivateKey ::= SEQUENCE { > > rho BIT STRING, - nonce/seed > > K BIT STRING, - key/seed > > tr BIT STRING, - PRF bytes (CRH in spec.) > > s1 BIT STRING, - vector l > > s2 BIT STRING, - vector k > > t0 BIT STRING, - encoded vector > > PublicKey IMPLICIT DilithiumPublicKey OPTIONAL > > } > > > > > > In this draft: > > https://datatracker.ietf.org/doc/draft-uni-qsckeys/01/ > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-uni-qsckeys/01/__;!!FJ-Y8qCqXTj2!eSTwME-1IjQkfjJFS0X7lRzbYJ1PhEzSelmmUcLwF9JaceAAKFQwvLRif4O6vS8ijYlK0TG2cYO4rpBHtq5AG1OZQAKxlnAfHtmn$> > > > > Dilithium keys have this encoding: > > > > > > DilithiumPublicKey ::= SEQUENCE { > > rho OCTET STRING, > > t1 OCTET STRING > > } > > > > > > DilithiumPrivateKey ::= SEQUENCE { > > version INTEGER {v0(0)} -- version (round 3) > > nonce BIT STRING, -- rho > > key BIT STRING, -- key/seed/D > > tr BIT STRING, -- PRF bytes (CRH in spec) > > s1 BIT STRING, -- vector(L) > > s2 BIT STRING, -- vector(K) > > t0 BIT STRING, > > publicKey [0] IMPLICIT DilithiumPublicKey OPTIONAL > > -- see next section > > } > > > > The draft-uni-qsckeys does not cover SPHINCS+, it does cover Falcon, but > I don’t know of another draft that specifies Falcon. > > > > There are also encodings for Kyber mentioned in two documents that I see. > There is an early > https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/ > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/__;!!FJ-Y8qCqXTj2!eSTwME-1IjQkfjJFS0X7lRzbYJ1PhEzSelmmUcLwF9JaceAAKFQwvLRif4O6vS8ijYlK0TG2cYO4rpBHtq5AG1OZQAKxlubO7POn$> > draft which mentions it is up to the document defining Kyber to give more > details. In the draft-uni-qsckeys draft it is more specific. > > > > https://datatracker.ietf.org/doc/draft-uni-qsckeys/01/ > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-uni-qsckeys/01/__;!!FJ-Y8qCqXTj2!eSTwME-1IjQkfjJFS0X7lRzbYJ1PhEzSelmmUcLwF9JaceAAKFQwvLRif4O6vS8ijYlK0TG2cYO4rpBHtq5AG1OZQAKxlnAfHtmn$> > > > > KyberPrivateKey ::= SEQUENCE { > > version INTEGER {v0(0)} -- version (round 3) > > s OCTET STRING, -- sample s > > publicKey [0] IMPLICIT KyberPublicKey OPTIONAL, > > -- see next section > > hpk OCTET STRING -- H(pk) > > nonce OCTET STRING, -- z > > } > > > > Partial public key encoding: > > > > KyberPrivateKey ::= SEQUENCE { > > version INTEGER {v0(0)} -- version (round 3) > > s OCTET STRING, -- EMPTY > > publicKey [0] IMPLICIT KyberPublicKey OPTIONAL, > > -- see next section > > hpk OCTET STRING -- EMPTY > > nonce OCTET STRING, -- d > > } > > > > Full public key encoding: > > > > KyberPublicKey ::= SEQUENCE { > > t OCTET STRING, > > rho OCTET STRING > > } > > > > Is https://datatracker.ietf.org/doc/draft-uni-qsckeys/01/ > <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-uni-qsckeys/01/__;!!FJ-Y8qCqXTj2!eSTwME-1IjQkfjJFS0X7lRzbYJ1PhEzSelmmUcLwF9JaceAAKFQwvLRif4O6vS8ijYlK0TG2cYO4rpBHtq5AG1OZQAKxlnAfHtmn$> > meant to become the document that defines the key formats for all the PQ > keys that will be standardized? If not, then it should probably just > refer to whatever documents will define the formats so that we can at least > agree on one common format for the PQ keys. > > > > > > Cheers, > > > > John Gray > > Entrust > > *Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they > are addressed. If this message has been sent to you in error, you must not > copy, distribute or disclose of the information it contains. Please notify > Entrust immediately and delete the message from your system.* > >
- [lamps] Multiple drafts with PQ algorithm key enc… John Gray
- Re: [lamps] [EXTERNAL] [Pqc] Multiple drafts with… Mike Ounsworth
- Re: [lamps] [Pqc] Multiple drafts with PQ algorit… Massimo, Jake
- Re: [lamps] [Pqc] Multiple drafts with PQ algorit… Bas Westerbaan
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Christine Cloostermans
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Mike Ounsworth
- Re: [lamps] Multiple drafts with PQ algorithm key… Russ Housley
- Re: [lamps] Multiple drafts with PQ algorithm key… Tim Hollebeek
- Re: [lamps] Multiple drafts with PQ algorithm key… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Multiple drafts with PQ algorithm key… Russ Housley
- Re: [lamps] Multiple drafts with PQ algorithm key… Tim Hollebeek
- Re: [lamps] Multiple drafts with PQ algorithm key… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Christine Cloostermans
- Re: [lamps] Multiple drafts with PQ algorithm key… Markku-Juhani O. Saarinen
- Re: [lamps] [EXTERNAL] Re: Multiple drafts with P… John Gray
- Re: [lamps] Multiple drafts with PQ algorithm key… Kampanakis, Panos
- Re: [lamps] Multiple drafts with PQ algorithm key… Mike Ounsworth
- Re: [lamps] Multiple drafts with PQ algorithm key… Kris Kwiatkowski
- Re: [lamps] [EXTERNAL] Re: Multiple drafts with P… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Multiple drafts with P… Tomas Gustavsson
- Re: [lamps] [Pqc] Multiple drafts with PQ algorit… Dieter Bratko